- Joined
- Jan 8, 2019
- Messages
- 56,604
- Solutions
- 2
- Reputation
- 32
- Reaction score
- 100,446
- Points
- 2,313
- Credits
- 32,560
6 Years of Service
76%
LazyCSRF
LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.
Motivation
Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, it does not support JSON parameters. It also uses the <form>, so it cannot send PUT/DELETE requests. In addition, multibyte characters that can be displayed in Burp Suite itself are often garbled in the generated CSRF PoC. Those were the motivations for creating LazyCSRF.
Features
Support JSON parameter (like a request to the API)
Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy)
Support displaying multibyte characters (like Japanese)
Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
The difference in the display of multibyte characters
The following image shows the difference in the display of multibyte characters between Burp’s CSRF PoC generator and LazyCSRF. LazyCSRF can generate PoC for CSRF without garbling multibyte characters. This is only the case if the characters are not garbled on Burp Suite.